redline | d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4

General

Target

d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
Size

365KB
MD5

667df7fcbe531eb97d1519444b96dae6
SHA1

405dcd089ac54417b9ba61900d6da288b72aa325
SHA256

d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4
SHA512

7b546655bec035e489d22b56bb9598f3f42eb65d4d229acb0dbbe7594486f68861e262f8bff2dd17d8b61a3e1ac3bc35281815688d29a1c23ae6f9e0f1b8a918

Score

10^/10

redline 1132044836 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1132044836

C2

185.183.32.184:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp	family_redline
behavioral1/memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe

pid process

2868 d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe

description pid process

Token: SeDebugPrivilege 2868 d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe

pid	process
2868	d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe

description	pid	process
Token: SeDebugPrivilege	2868	d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe

C:\Users\Admin\AppData\Local\Temp\d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
"C:\Users\Admin\AppData\Local\Temp\d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-116-0x0000000000730000-0x0000000000769000-memory.dmp

Filesize
228KB

Download
memory/2868-115-0x00000000006E0000-0x000000000070B000-memory.dmp

Filesize
172KB

Download
memory/2868-117-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp

Filesize
184KB

Download
memory/2868-119-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp

Filesize
176KB

Download
memory/2868-122-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/2868-121-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2868-123-0x0000000004B23000-0x0000000004B24000-memory.dmp

Filesize
4KB

Download
memory/2868-124-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2868-125-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2868-126-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2868-127-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2868-128-0x0000000004B24000-0x0000000004B26000-memory.dmp

Filesize
8KB

Download
memory/2868-129-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2868-130-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/2868-131-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/2868-132-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/2868-133-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/2868-134-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/2868-135-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/2868-136-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing